Security
7450 ESS System Management Guide Page 225
The hold-down is cleared approximately the configured number of seconds after it was set.
The hold-down seconds option should be selected for protocols that receive more than one
packet in a complete handshake/negotiation (for example, DHCP, PPP). Hold-down is not
applicable to a local monitoring policer. The “detection-time” starts only after any
hold-down is complete. During the hold-down (and the detection-time), the policer is
considered to be in an “exceed” state. The policer may re-enter the hold-down state if an
exceed packet is detected during the detection-time countdown. The allowed values are
[none|1..10080|indefinite].
Values 1-10080 in seconds
none — no hold-down
indefinite — hold-down remains in place until the operator clears it manually using a tools
command (tools perform security dist-cpu-protection release-hold-down) or removes the
dist-cpu-protection policy from the object.
exceed-action
Syntax exceed-action {discard | low-priority | none}
Context config>system>security>dist-cpu-protection>policy>local-monitoring-policer
Description This command controls the action performed upon the extracted control packets when the configured
policer rates are exceeded.
Default none
Parameters discard — Discards packets that are non-conformant.
low-priority — Marks packets that are non-conformant as low-priority. If there is congestion in the
control plane of the SR OS router, unmarked control packets are given preferential
treatment.
none — no hold-down
log-events
Syntax [no] log-events [verbose]
Context config>system>security>dist-cpu-protection>policy>static-policer
Description This command controls the creation of log events related to static-policer status and activity.
Default log-events — sends the Exceed (Excd) and Conform events (for example, sapDcpStaticExcd)
Parameters verbose — (optional) Sends the same events as plain “log-events”, plus Hold Down Start and
Hold Down End events. These additional events are more likely to be used during debugging,
tuning, or investigations.
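
The hold-down and detection-time behavior described above, together with the events that log-events and log-events verbose would report, can be traced with a small model. This is an added example, not SR OS code or part of the guide: the function name, the event labels, and the two behaviors marked as assumptions in the comments are illustrative, and it models a policer to which hold-down applies (not a local monitoring policer).

```python
# Added illustration (not SR OS code): timeline of a policer's exceed state.
# Event labels are descriptive names, not SR OS log event identifiers.
INDEFINITE = None   # "indefinite": held until the operator releases it
NO_HOLD_DOWN = 0    # "none"


def policer_timeline(exceed_times, hold_down, detection_time,
                     release_at=None, verbose=True):
    """Return [(time_s, event)] for exceed packets seen at exceed_times."""
    events, state, phase_end = [], "conform", None

    def on_exceed(t):
        nonlocal state, phase_end
        if hold_down == NO_HOLD_DOWN:
            # Assumption: without hold-down, an exceed restarts detection-time.
            state, phase_end = "detect", t + detection_time
            return
        events.append((t, "HoldDownStart"))
        state = "hold"
        if hold_down is INDEFINITE:
            # Ends only on manual release (release_at); None means never.
            phase_end = release_at if release_at is not None and release_at > t else None
        else:
            phase_end = t + hold_down

    def advance(now):
        nonlocal state, phase_end
        while state != "conform" and phase_end is not None and phase_end <= now:
            if state == "hold":
                # detection-time starts only after hold-down completes
                events.append((phase_end, "HoldDownEnd"))
                state, phase_end = "detect", phase_end + detection_time
            else:
                events.append((phase_end, "Conform"))
                state, phase_end = "conform", None

    for t in sorted(exceed_times):
        advance(t)
        if state == "conform":
            events.append((t, "Exceed"))
            on_exceed(t)
        elif state == "detect":
            on_exceed(t)  # exceed during detection-time: re-enter hold-down
        # Assumption: exceed packets during hold-down do not extend it.
    advance(float("inf"))
    if not verbose:  # plain log-events: Exceed and Conform only
        events = [e for e in events if e[1] in ("Exceed", "Conform")]
    return events


if __name__ == "__main__":
    for when, name in policer_timeline([0, 10, 70, 200], 60, 30):  # constructed input
        print(f"t={when:>4}s  {name}")
```

With a 60-second hold-down and a 30-second detection-time, the exceed packet at t=70 arrives during the detection-time countdown, so the policer stays in the exceed state until t=160 rather than t=90.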